Cybersecurity company CrowdStrike has been sued by investors who say it provided false claims about its Falcon platform after a bad security update led to a massive global IT outage causing the stock price to tumble almost 38%.
The plaintiffs claim that the massive IT outage that occurred on July 19, 2024, proves CrowdStrike’s claims that their cybersecurity platform is thoroughly tested and validated are false.
As a result of this incident and its aftermath, CrowdStrike’s stock price has tumbled almost 38% from $343 on July 18 to $214, causing significant financial losses to investors.
The class action lawsuit submitted by the Plymouth County Retirement Association in the U.S. District Court of Austin, Texas, seeks compensatory damages for these losses.
A bad update causes a global IT outage
On July 19, Crowdstrike pushed out a faulty Falcon sensor update to Windows devices running the security software. The update slipped past Crowdstrike’s internal tests due to a bug in its content validator and inadequate testing procedures.
The update was received by 8,500,000 Windows devices, if not more, causing an out-of-bounds memory read when processed by Falcon, leading to the operating system crashing with Blue Screen of Death (BSOD).
CrowdStrike is widely used in enterprises, including airports, hospitals, government organizations, the media, and financial firms, causing catastrophic, costly, and even dangerous IT outages.
As restoring systems required staff to remove the faulty update manually, it took days for some companies to resume normal operations, leading to extended outages and delays.
While most have returned to normal operations, the fallout from the incident continues to unfold on multiple levels, including elevated cybercrime activity, loss of trust, and litigation threats.
According to the plaintiffs, the faulty Falcon update proved that contrary to CrowdStrike’s assurances around the diligence in its procedures and the efficacy and reliability of the Falcon platform, updates were inadequately tested and controlled, and the risk of outages is high.
The class action alleges that stockholders were defrauded by CrowdStrike’s knowingly false statements about the quality of its products and procedures.
“Because of their positions and access to material, nonpublic information, the Individual Defendants knew or recklessly disregarded that the adverse facts specified herein had not been disclosed to and were being concealed from the investing public and that the positive representations that were being made were false and misleading.” – Class action document.
To reflect the extent of the losses, the lawsuit mentions that the CrowdStrike stock price fell by 11% on the day of the incident, then another 13.5% on July 22, when Congress called CEO George Kurtz for a testimony, and another 10% on July 29 following news that Delta Airlines, one of the impacted entities, hire an attorney to seek damages.
The plaintiff alleges violations of Sections 10(b) and 20(a) of the Exchange Act and seeks compensation.
Financial impact
The IT outage caused by the CrowdStrike Falcon update has caused massive financial losses to impacted organizations, with many of them exploring litigation pathways to get some of it back.
Delta Airlines CEO Ed Bastian previously stated that the outage forced the cancellation of 2,200 flights for the company, resulting in losses estimated at $500,000,000.
The firm has already hired a law firm that will seek compensation from CrowdStrike and Microsoft, which is now in the crosshairs despite not being responsible for the incident.
Market analysts estimate that the outage has caused big enterprises $5.4 billion in losses.
A report by Guy Carpenter projects the estimated insured losses resulting from the bad Falcon update to be between $300 million and $1 billion, while CyberCube have raised the figure to $1.5 billion.
